GOVERNMENT QUANTUM RISK
Federal mandates require agencies to inventory cryptographic systems and begin PQC migration. Petronella Technology Group helps government agencies and contractors meet NSM-10 and OMB M-23-02 requirements.
What Are the Federal Quantum Migration Mandates?
White House NSM-10 (2022), OMB M-23-02, NSA CNSA 2.0 (2035 National Security Systems deadline), NIST FIPS 203/204/205, NIST IR 8547 transition guidance, and CISA sector-specific planning guidance for critical infrastructure.
NSM-10 (May 2022)
National Security Memorandum directing agencies to inventory cryptographic systems and prepare for post-quantum migration.
OMB M-23-02 (November 2022)
Requires agencies to submit cryptographic system inventories and prioritize migration of vulnerable systems.
NSA CNSA 2.0 (September 2022)
Defines specific post-quantum algorithms and timelines for national security systems.
CISA Quantum Guidance
CISA guidance for critical infrastructure organizations on preparing for quantum threats.
What Are the State and Local Government Quantum Challenges?
Aging PKI and identity systems, criminal justice information systems with long retention, election infrastructure whose keys and secrets persist across multiple election cycles, shared services across agencies, and limited cryptographic expertise relative to federal counterparts. Planning has to align with federal grant requirements and CISA sector guidance.
Budget Constraints
Limited budgets make it critical to prioritize which systems to migrate first based on risk and data sensitivity.
Legacy Systems
Government agencies rely heavily on legacy systems that may require hardware upgrades to support PQC algorithms.
Vendor Dependency
Many government IT systems are vendor-managed, requiring coordination with third parties for cryptographic updates.
StateRAMP and Compliance
State-level security frameworks will need to incorporate quantum readiness as federal requirements cascade down.
Why Do Government Agencies Face the Most Explicit Quantum Timeline?
NSM-10 and OMB M-23-02 already require cryptographic inventories and migration plans, with the inventory submitted annually to the Office of the National Cyber Director. NSA CNSA 2.0 sets a 2035 deadline for National Security Systems, with category-specific milestones before that. CISA and NIST supply the supporting transition guidance. The public sector has the most specific calendar of any sector.
Federal agencies face the most explicit post-quantum cryptography timeline of any sector. National Security Memorandum 10, issued in May 2022, directed federal agencies to inventory cryptographic systems and plan migration to post-quantum algorithms. Office of Management and Budget Memorandum M-23-02, issued in November 2022, required agencies to submit those inventories through a defined format and to prioritize migration of the most vulnerable systems. National Security Agency Commercial National Security Algorithm Suite 2.0 sets specific algorithms, parameter sets, and a 2035 transition deadline for National Security Systems. Cybersecurity and Infrastructure Security Agency published planning guidance for critical infrastructure sectors that extends the framework beyond direct federal operations.
Petronella Technology Group helps federal agencies, state and local government, and government contractors meet these requirements. We have been serving regulated clients in the Raleigh and Research Triangle area since 2002, maintain Better Business Bureau A+ accreditation in good standing since 2003, and are a CMMC-AB Registered Provider Organization under RPO-1449. Our team holds CMMC Registered Practitioner credentials across the board and Craig Petronella personally holds CMMC-RP, Certified Forensic Examiner (DFE 604180), CCNA, and CWNE credentials.
For state and local agencies, the federal mandates cascade through grant conditions, shared infrastructure, federal information exchange requirements, and the broader policy example that state chief information officers watch. StateRAMP and state-specific security frameworks will integrate post-quantum expectations as federal requirements mature, which means state and local agencies that start planning now are much better positioned than those that wait.
What Do NSM-10 and OMB M-23-02 Actually Require?
Cryptographic inventories across every federal system, risk-prioritized migration plans, coordination with CISA and NIST on sector guidance, reporting milestones tied to NIST FIPS 203/204/205 adoption, and executive accountability at the agency CIO and CISO level.
NSM-10 directed the federal government to begin the transition to quantum-resistant cryptographic standards. The memorandum assigned responsibilities across the Department of Homeland Security, the National Security Agency, the National Institute of Standards and Technology, and the agency chief information officer community. It also established the preliminary timelines for inventory work, standardization adoption, and eventual transition. OMB M-23-02 operationalized the inventory requirement by setting a specific format, requiring annual updates through 2035, and assigning the Office of Management and Budget and the Office of the National Cyber Director (ONCD) as the oversight authorities for compliance, with CISA receiving the inventories alongside ONCD.
The inventory format is specific. Agencies must submit cryptographic systems categorized by algorithm, by protocol, by system criticality, and by migration priority. Agencies must then update the inventory annually with progress reports. This is a substantial recurring workload that agencies with limited cybersecurity staff can struggle to produce, and it is one of the most common reasons agencies engage outside support.
Our engagement for federal agencies produces the initial inventory in the OMB-required format, documents the methodology so that the inventory can be maintained by internal staff on an ongoing basis, and sets up the annual refresh process so that each subsequent year is a lower-effort update rather than a repeat of the initial work. For agencies with mature cybersecurity programs we often deliver just the methodology and quality-assurance review rather than producing the inventory ourselves.
CNSA 2.0 and National Security Systems
National Security Systems are subject to the Commercial National Security Algorithm Suite 2.0 rather than to the general federal post-quantum transition framework. CNSA 2.0 specifies the approved algorithms: ML-KEM-1024 for key encapsulation, ML-DSA-87 for general-purpose digital signatures, the stateful hash-based schemes LMS and XMSS for software and firmware signing only, AES-256 for symmetric encryption, and SHA-384 or SHA-512 for hashing. These parameter choices reflect the higher security level required for national security work; note that AES-128 and ML-KEM-768, both acceptable under NIST standards for non-NSS use, are not permitted for NSS. CNSA 2.0 also sets the transition timeline, with adoption requirements phased by product category (software and firmware signing first, custom and legacy applications last) through the back half of the 2020s and into the early 2030s, culminating in full transition by 2035.
Agencies whose scope includes NSS work need to segregate NSS cryptographic policy from the broader federal post-quantum policy. ML-KEM-768 is a valid FIPS 203 parameter set for Controlled Unclassified Information, but CNSA 2.0 requires ML-KEM-1024 for NSS, so the same environment cannot serve both populations without explicit segmentation that keeps the NSS traffic, keys, and modules on the CNSA 2.0 parameter sets. Our engagement designs the segmentation, documents it for assessor review, and integrates it with the existing authorization boundary so that the cryptographic scope matches the authorization scope.
State and Local Government Quantum Planning
State and local agencies face a different profile than federal agencies. The direct mandates under NSM-10 and OMB M-23-02 do not apply, but the practical obligations cascade through several channels. Federal grants often carry security requirements that reference NIST standards, which means state agencies accepting federal grants for law enforcement, transportation, public health, education, or emergency management often inherit post-quantum expectations. Shared federal-state information exchanges, such as the Next Generation Identification system, require state participants to maintain cryptographic configurations aligned with federal partners.
StateRAMP, the state-government analog of FedRAMP, integrates NIST standards by reference and will track post-quantum updates as NIST guidance matures. State chief information officer communities follow federal CIO practice, which means the policy conversation at the state level mirrors the federal conversation on a delayed cadence. Our engagement for state and local clients maps the grant portfolio, federal-state shared systems, and state-specific requirements to produce a roadmap that respects the specific obligation mix.
For counties and municipalities, the scope is different again. County government handles sensitive citizen data including property records, court records, tax records, and public health records. Municipal utilities, court systems, police and fire radio communications, and public safety data exchange all have cryptographic configurations that affect quantum posture. Our engagement for smaller government clients runs a compressed version of the methodology focused on the highest-consequence systems rather than the full inventory.
Critical Infrastructure and CISA Sector Guidance
Critical infrastructure operators under the 16 sectors defined in Presidential Policy Directive 21 (superseded in April 2024 by NSM-22, which retains the same 16 sectors) receive specific post-quantum guidance from the Cybersecurity and Infrastructure Security Agency. Water and wastewater utilities, electrical grid operators, transportation systems, and communications carriers each have sector-specific coordinating councils that publish planning materials and track sector-level progress. Our engagement for critical infrastructure clients integrates the CISA sector guidance into the specific roadmap for that client, documents the specific industrial control system and operational technology constraints that shape the migration sequence, and produces the sector coordinating council talking points that demonstrate your organization is actively engaged in the sector-wide response.
Industrial control systems and operational technology are the hardest part of a critical infrastructure post-quantum migration. Device lifetimes commonly exceed twenty years. Firmware updates are infrequent and often require extensive interoperability testing. Safety-rated systems cannot be updated casually. For these environments we design compensating controls (network segmentation, quantum-safe tunnels in front of the device, and tightened key management) rather than attempt replacement work that is infeasible within the migration window, and we document the compensating controls for CISA and for sector regulator review.
Authorization Boundaries and Cryptographic Change
Federal systems operate under an authorization to operate granted by a specific authorizing official based on the documented security posture. Cryptographic changes that affect the authorization boundary can trigger re-authorization, which is a significant effort and can delay the migration program. Our engagement explicitly reviews the authorization implications of each proposed cryptographic change so that the migration plan avoids inadvertent re-authorization triggers where possible and explicitly schedules them where unavoidable. This is often the difference between a migration plan that actually executes on schedule and one that stalls when the first boundary change triggers unexpected reauthorization work.
For cloud-hosted federal systems under FedRAMP, the cryptographic changes also require coordination with the Third Party Assessment Organization that performs continuous monitoring review. We produce the specific 3PAO-facing language that supports a clean continuous monitoring cycle so that post-quantum migration work does not create authorization instability during the transition.
Agencies operating general support systems across multiple authorization boundaries need careful scope management. We document which authorization boundaries are affected by each migration phase and we sequence the phases so that authorization work distributes evenly rather than clustering in one fiscal quarter. For agencies with limited assessment capacity this sequencing is the practical constraint that shapes the roadmap more than any algorithmic question.
Federal Procurement and Vendor Post-Quantum Readiness
Federal procurement plays a major role in driving post-quantum adoption. Agencies that include post-quantum cryptography requirements in solicitations accelerate vendor adoption broadly, and agencies that do not include such requirements end up inheriting classical cryptography through new systems that will themselves need migration within a few years. Our engagement produces procurement language that can be inserted into solicitations for new systems, for hardware refresh, and for major software purchases. The language is calibrated to be achievable by current vendors without being so specific that it locks agencies into a narrow vendor set.
For agencies using General Services Administration schedules, we track the specific schedule item updates that incorporate post-quantum requirements and we identify the schedule items that have not yet caught up. This practical knowledge saves agencies substantial procurement planning time because the post-quantum readiness landscape varies significantly across vendors and across schedule categories.
Our Government Quantum Engagement Methodology
Phase 1: Mandate Scope
We confirm the specific mandate set that applies. For federal agencies that typically means NSM-10, OMB M-23-02, NIST SP 800-53, NSA CNSA 2.0 if NSS is in scope, and any agency-specific cybersecurity policy. For state agencies it means the applicable federal grant security conditions, any State RAMP obligations, and state-specific cybersecurity rules. For critical infrastructure operators it includes CISA sector guidance and any sector-specific regulator expectations.
Phase 2: Cryptographic Inventory
The cryptographic inventory covers every in-scope system documented against the OMB-required format for federal agencies or the equivalent format appropriate for state, local, or critical infrastructure clients. For each instance we document algorithm, parameter, module, CMVP validation status, data classification, system criticality, and migration priority. The inventory is structured to support annual refresh with minimal additional effort.
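As an added illustration of the Phase 2 inventory attributes above and of the CNSA 2.0 segregation point from the NSS section (example code written for this page, not Petronella Technology Group's tooling and not the OMB submission template), the following script takes inventory records carrying the fields named on this page (algorithm, parameter, module, CMVP status, classification, criticality) plus a retention period, flags which uses are quantum-vulnerable, assigns a migration priority driven by harvest-now-decrypt-later exposure, and reports CNSA 2.0 deviations for NSS-scoped records. The CNSA 2.0 parameter sets are the published ones; the P1/P2/P3 scale, the 10-year retention threshold, and the sample records are assumptions constructed for the example.

```python
"""Triage a cryptographic inventory for quantum risk and CNSA 2.0 conformance.
Added example, not the page's own tooling and not an OMB template. Field names
mirror the inventory attributes the page lists; P1/P2/P3 and the 10-year
retention threshold are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Public-key schemes broken by a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EDDSA", "X25519"}

# CNSA 2.0 suite for NSS: algorithm -> permitted parameters ("*" = any).
CNSA2_ALLOWED: Dict[str, Set[str]] = {
    "ML-KEM": {"1024"},
    "ML-DSA": {"87"},
    "AES": {"256"},
    "SHA2": {"384", "512"},
    "LMS": {"*"},   # stateful hash-based signatures, firmware/software signing only
    "XMSS": {"*"},
}

@dataclass(frozen=True)
class CryptoUse:
    system: str
    algorithm: str
    parameter: str        # key size, parameter set or digest length, as text
    purpose: str          # "key-exchange", "encryption", "signature" or "hash"
    module: str
    cmvp_validated: bool
    classification: str   # "public", "CUI" or "NSS"
    criticality: str      # "low", "moderate" or "high"
    retention_years: int  # how long the protected data must remain confidential

def is_quantum_vulnerable(use: CryptoUse) -> bool:
    return use.algorithm.upper() in QUANTUM_VULNERABLE

def cnsa2_findings(use: CryptoUse) -> List[str]:
    """CNSA 2.0 deviations for NSS-scoped records; always empty for non-NSS."""
    if use.classification != "NSS":
        return []
    alg = use.algorithm.upper()
    allowed = CNSA2_ALLOWED.get(alg)
    if allowed is None:
        return [f"{alg} is not in the CNSA 2.0 suite"]
    findings = []
    if "*" not in allowed and use.parameter not in allowed:
        findings.append(f"{alg}-{use.parameter} not permitted; CNSA 2.0 requires "
                        f"{alg}-{'/'.join(sorted(allowed))}")
    if alg in {"LMS", "XMSS"} and use.purpose != "signature":
        findings.append(f"{alg} is approved only for software/firmware signing")
    return findings

def migration_priority(use: CryptoUse, hndl_threshold_years: int = 10) -> str:
    """P1: vulnerable key exchange/encryption on long-retention or high-criticality
    data (harvest-now-decrypt-later). P2: other vulnerable uses, mainly signatures.
    P3: already quantum-safe; verify parameter set and CMVP status only."""
    if not is_quantum_vulnerable(use):
        return "P3"
    confidentiality = use.purpose in {"key-exchange", "encryption"}
    if confidentiality and (use.retention_years >= hndl_threshold_years
                            or use.criticality == "high"):
        return "P1"
    return "P2"

def triage(inventory: List[CryptoUse]) -> List[dict]:
    """One row per record, sorted highest priority and criticality first."""
    rank = {"high": 0, "moderate": 1, "low": 2}
    rows = []
    for use in inventory:
        findings = cnsa2_findings(use)
        if not use.cmvp_validated:
            findings.append("module lacks CMVP validation")
        rows.append({"system": use.system, "algorithm": f"{use.algorithm}-{use.parameter}",
                     "classification": use.classification, "criticality": use.criticality,
                     "quantum_vulnerable": is_quantum_vulnerable(use),
                     "priority": migration_priority(use), "findings": findings})
    rows.sort(key=lambda r: (r["priority"], rank[r["criticality"]]))
    return rows

def summarize(rows: List[dict]) -> Dict[str, int]:
    counts = {"P1": 0, "P2": 0, "P3": 0}
    for row in rows:
        counts[row["priority"]] += 1
    return counts

SAMPLE_INVENTORY = [  # constructed records for illustration, not real agency systems
    CryptoUse("Tax records database (TLS)", "RSA", "2048", "key-exchange",
              "OpenSSL 3.0 FIPS provider", True, "CUI", "high", 25),
    CryptoUse("Grant portal SAML signing", "ECDSA", "P-256", "signature",
              "PKCS#11 HSM", False, "CUI", "moderate", 7),
    CryptoUse("Classified VPN concentrator", "ML-KEM", "768", "key-exchange",
              "vendor firmware 4.2", True, "NSS", "high", 30),
    CryptoUse("Classified archive encryption", "AES", "128", "encryption",
              "storage controller", True, "NSS", "high", 30),
    CryptoUse("Firmware signing service", "LMS", "SHA256_M32_H10", "signature",
              "HSM 7.x", True, "NSS", "high", 10),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row["priority"], row["system"], row["algorithm"], row["findings"])
```

Two behaviours are worth noting. A record can be P3 (already quantum-safe) and still carry a finding: the ML-KEM-768 VPN and the AES-128 archive are not quantum-vulnerable, but both violate CNSA 2.0 because they sit in NSS scope, which is exactly the segmentation problem described under CNSA 2.0. And a signature-only use such as the SAML signer lands at P2 rather than P1 because signatures only fail once a quantum computer exists, whereas recorded key exchanges protecting 25-year tax data are exposed today.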
Phase 3: Migration Roadmap and Budget
The roadmap is sequenced by system criticality, by data sensitivity, and by federal mandate priority. Budget envelopes are calibrated against typical government procurement and capital planning cycles. We produce language for the next budget submission that explains the quantum migration requirement in terms that legislative and executive budget reviewers will understand.
Phase 4: Evidence and Handoff
The final phase produces the evidence package for OMB submission, the internal documentation that supports ongoing cryptographic inventory maintenance, and the governance artifacts that your inspector general, your legislative oversight committee, or your sector regulator will expect during review. We schedule a 90-day follow-up to check adoption.
What You Get From a Government Quantum Engagement
OMB-Formatted Inventory
A cryptographic inventory in the format specified by OMB M-23-02 for federal agencies or the analogous format appropriate for state, local, or critical infrastructure clients. Structured for annual refresh.
Mandate Traceability Matrix
A traceability matrix that ties each finding to the specific mandate clause, NIST standard, or CISA guidance that drives it. Supports inspector general, legislative oversight, or sector regulator review without further interpretation.
Migration Roadmap with Budget
A multi-year migration roadmap sequenced by mandate priority, system criticality, and budget cycle. Includes language for the next budget submission that explains the requirement to legislative and executive reviewers.
Authorization Boundary Review
A review of authorization boundary implications for cryptographic changes so that the migration work does not inadvertently require re-authorization of the affected systems. Critical for clients with ATO constraints.
Sector Coordinating Council Talking Points
For critical infrastructure clients, talking points prepared for the sector coordinating council that demonstrate active engagement with the sector-wide response.
Executive and Oversight Briefings
Live briefings for the agency leadership team, the inspector general or oversight office, and the engineering team that will own the migration. Each audience receives an appropriately formatted set of materials.
After the Initial Engagement
Post-quantum migration is multi-year work and the mandate set will continue to shift. We offer an ongoing retainer that covers quarterly review calls, annual refresh support for the OMB-required inventory, updates to the roadmap as NIST and CISA guidance evolves, and a fast path to pull in deeper expertise when a specific migration phase is about to begin. For federal agencies and critical infrastructure operators the continuity preserves context and lets the roadmap adjust in real time rather than requiring a fresh engagement each year.
The retainer also includes support for inspector general or oversight reviews that touch on cryptographic readiness. Oversight reviews are scheduled on cycles that do not always align with agency operational calendars, and having a partner who already knows the environment accelerates the response. For critical infrastructure operators the retainer covers participation in sector coordinating council discussions and tracks the emerging sector-specific guidance so that your internal team does not have to monitor multiple channels for quantum-relevant updates.
Standards and Publications Relevant to Government Work
Our government engagements cite the NIST Post-Quantum Cryptography Project publications, FIPS 203, 204 and 205 for algorithm guidance (with FIPS 206 for FN-DSA once it is finalized), NIST SP 800-131A for algorithm and key-length transitions generally, NIST IR 8547 for the post-quantum deprecation timelines specifically, NIST SP 800-53 for the control catalog, NSA CNSA 2.0 for NSS guidance, NSM-10 for the overall federal transition framework, OMB M-23-02 for the inventory format and annual refresh requirement, CISA sector-specific materials for critical infrastructure clients, and FedRAMP baseline controls where applicable. Every recommendation traces to a citable public source so that your inspector general, your legislative oversight committee, or your sector regulator can validate the work.
Who Runs Your Government Engagement
Government quantum engagements are led by senior consultants with applied cryptography and federal or state cybersecurity experience. Petronella Technology Group is a CMMC-AB Registered Provider Organization (RPO-1449), our team holds CMMC Registered Practitioner credentials, and Craig Petronella holds CMMC-RP, DFE 604180, CCNA, and CWNE. We have been serving regulated clients in the Raleigh and Research Triangle area since 2002. For a walkthrough of fit, call 919-348-4912 or submit the contact form. See CMMC compliance for defense contractor work and cybersecurity program for broader operational support. See defense contractor quantum risk for engagements specific to the Defense Industrial Base, and quantum-safe compliance audit for the dedicated audit program.
We work across federal civilian agencies, state government agencies, county and municipal government, state and local law enforcement, water and wastewater utilities, electrical cooperatives, transportation authorities, and critical infrastructure operators. The scope differs substantially across these client types and the engagement is calibrated accordingly. We do not try to force a single methodology onto organizations with very different missions and operational contexts. We take time to understand the mandate set, the operational tempo, and the governance structure before we propose scope, and we adjust the work as we learn more during execution. Government quantum migration is too consequential to run with a boilerplate approach, and we will not pretend otherwise just to win the engagement faster. The public interest is served by honest scoping, and we will tell you directly if the timing is not right for your agency this year, or if foundational cybersecurity work should come first before a quantum-specific engagement makes sense.
Frequently Asked Questions
Is OMB M-23-02 compliance mandatory?
Yes, for federal agencies. OMB M-23-02 requires agencies to inventory their cryptographic systems in a defined format and submit annual updates. Government contractors should prepare as these requirements flow down to contract requirements, often through updates to agency information technology security clauses and through flowdown language from primes.
Do state and local governments need to worry about quantum threats?
Yes. State and local governments handle sensitive citizen data with long retention periods including property records, court records, tax records, and public health records. Federal requirements often cascade to state levels through grant conditions, shared infrastructure requirements, and the policy leadership example of major federal agencies. StateRAMP and state-specific frameworks will integrate post-quantum expectations as federal requirements mature.
What about the CNSA 2.0 deadline?
CNSA 2.0 sets a 2035 deadline for National Security Systems with progressive adoption requirements beginning earlier. NSS work is subject to different parameter choices (ML-KEM-1024, ML-DSA-87, AES-256, SHA-384 or SHA-512) than general federal work. Agencies with mixed scope need to segregate NSS and non-NSS cryptographic policy explicitly.
How does this intersect with FedRAMP?
Cloud service providers under FedRAMP Moderate or High authorization must implement cryptographic protections aligned with the NIST SP 800-53 control baseline. As post-quantum algorithms enter CMVP validation and deprecation of classical algorithms progresses, FedRAMP expectations will track the NIST timeline. We integrate FedRAMP-specific evidence format into our deliverables for CSP clients. See FedRAMP compliance for broader context.
Can you support critical infrastructure engagements?
Yes. We work with water and wastewater utilities, electrical grid operators, transportation systems, and communications carriers. Each sector has its own CISA sector coordinating council guidance and we integrate that guidance into the specific client roadmap. Industrial control systems and operational technology receive particular attention because device lifetimes commonly exceed migration windows.
How long does a government engagement take?
Federal agency engagements typically run eight to sixteen weeks for the initial inventory and roadmap, depending on size and complexity. State and local engagements run six to ten weeks. Critical infrastructure engagements run longer because the industrial control system inventory adds significant scope. We scope each engagement explicitly during a discovery call before you commit.
Related Services
Assess Your Quantum Risk
Start with a quantum readiness assessment to understand your exposure and build a migration roadmap.